Logs belong in the visible data type category, which can be anything from:
Examples include events pertaining to system access, security alerts, the duration of a user’s login session, when the device was shut down, etc.
Typically, OS logs are stored in a particular system directory (the exact location depends on the operating system in use).
Since they mostly reveal what changes were made to a particular database, these can be a vital source of crime evidence as well as a useful approach for debugging and troubleshooting in the unfortunate event of any technical issues with the database in question.
At any rate, professional industry-grade tools like DBF by SalvationDATA will help you waltz through any kind of database encryption like it’s nothing, all while giving you insight into a wide array of digital crime without requiring any expertise whatsoever.
Often presented in a CSV format, email logs can reveal certain details about the sender and content, including their email address, time and date of delivery, delivery status, cc, bcc, subject, content type, and error codes (if applicable); most of this information is stored in the email’s header.
As we’ve elaborated in our latest email forensics guide, many cybercriminals use email as their go-to communication channel for the purposes of extortion, financial crime, and distributing illegal materials.
Alongside email logs, any file attachments also count as one of the evidence types, so they should be closely examined, along with the logs of the mail server through which the email was sent.
Just like OS logs, certain software logs count among the most important sources of digital evidence.
Among other things, they contain details regarding what actions were performed while the program was running and indicate any errors or crashes, which can be used for debugging purposes.
Each program can store these in its own predefined location, which may or may not be its installation directory.
These can be viewed as a distinct type of evidence because they contain clues about what an individual was doing on the internet, including which websites that person visited, what messages were exchanged with another party, and what the content of those messages was.
A digital forensics examiner should let evidence reveal the truth, so be on the lookout for timestamps and IP addresses – two crucial evidence types that will serve as proof in a court of law.
Door access records
In case the investigation involves analyzing smart home or corporate security and finding out who accessed the premises and at what time, door access records are good examples of digital crime scene evidence that will help you solve complex property-related cases like burglary.
A phone’s infrastructure encompasses various kinds of evidence, including photos taken, videos recorded, system logs, app logs, and call logs, the latter of which contain crucial details such as the duration of a call, inbound and outbound numbers, etc.
Mobile forensics experts also analyze and examine other types of digital evidence that can be found on a mobile device, including geolocation indicators (where the device has traveled) and the EXIF data that photos may store.
Since everyone who browses the internet gets assigned a unique IP address, knowing this crucial detail allows a digital forensics investigator to trace their real identity and physical location by cooperating with ISPs.
IP logs are often a crucial source of evidence when trying to hunt down a cyber-criminal.
These kinds of logs are like a digital journal that records the events taking place on a server. Examples include the IP addresses that connected to the server at any point in time and the duration of each session, any error logs, the usernames that were used at the time of access, etc.
Drilling further down, server logs can be sub-categorized into error logs, availability logs, resource logs, event logs, change logs, authorization logs, system logs, and threat logs…
There are many forensic categories of devices where evidence can be found, and each device can generate a unique fingerprint that consists of its hardware specs, the OS it’s running (down to the exact version), and even other odd bits and pieces such as the graphics drivers it’s running or what fonts are installed.
Therefore, even if a cybercriminal attempts to mask their IP when connecting to a server, the device fingerprint can be collected regardless.
To effectively conduct log forensics, the key thing an investigator should know about logs of any kind is that they are written to the device automatically, either by some kind of installed software or by the operating system itself.
Their primary purpose is to record not only the events resulting from the user’s actions but also automated processes such as updates, maintenance, and other system events.
At the same time, software and system logs also contain a wealth of information about access or security errors as well as warnings and notifications.
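The server and system logs described above, as an added example (my own Python, not SalvationDATA’s tooling): it parses a constructed log in an assumed `timestamp ip user event` line format, pairs each login with its logout to recover session durations per IP and username, lists error events, and hashes the raw evidence bytes so the examined copy can later be shown to match the original.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample server log (not from any real system): timestamp, client IP, username, event.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z 203.0.113.5 alice LOGIN
2024-03-01T08:02:10Z 198.51.100.7 bob LOGIN
2024-03-01T08:03:00Z 203.0.113.5 alice ERROR permission denied /etc/shadow
2024-03-01T08:45:00Z 203.0.113.5 alice LOGOUT
2024-03-01T09:30:30Z 198.51.100.7 bob LOGOUT
2024-03-01T10:00:00Z 192.0.2.9 carol LOGIN
"""


def sha256_hex(data: bytes) -> str:
    """Hash the raw evidence bytes; record this before examination for chain of custody."""
    return hashlib.sha256(data).hexdigest()


def parse_line(line: str) -> dict:
    """Split one assumed-format line into its fields; anything after the event is free text."""
    ts, ip, user, event, *rest = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "ip": ip, "user": user, "event": event, "detail": " ".join(rest)}


def sessions(log_text: str) -> list:
    """Pair each LOGIN with the next LOGOUT for the same (ip, user) and report the duration in seconds."""
    open_sessions = {}
    result = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["ip"], rec["user"])
        if rec["event"] == "LOGIN":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "LOGOUT" and key in open_sessions:
            start = open_sessions.pop(key)
            result.append({"ip": rec["ip"], "user": rec["user"], "start": start,
                           "end": rec["ts"], "seconds": int((rec["ts"] - start).total_seconds())})
    # A LOGIN with no matching LOGOUT (crash, truncated log) is still evidence: report it as open.
    for (ip, user), start in open_sessions.items():
        result.append({"ip": ip, "user": user, "start": start, "end": None, "seconds": None})
    return result


def errors(log_text: str) -> list:
    """Return every ERROR record, since access failures often mark the first attempts of an intrusion."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip() and l.split()[3] == "ERROR"]
```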
2. Video footage and images
Out of all the types of digital evidence, video footage and images can be classified as the visible data type, just like the logs we discussed earlier.
There are many types of digital evidence that fall into this category, including CCTV footage, videos recorded on a mobile device, digital camera footage, voice recordings, etc.
However, unlike your typical logs, multimedia files may require specialized tools to investigate that go beyond typical multimedia players.
Retrieving video evidence – a practical example
To give you a practical example, let’s suppose your law enforcement department is tasked with having to retrieve CCTV footage from a no-name brand surveillance system. Even if you manage to dismantle the device and retrieve the files in a forensically sound manner, you’re still going to need to find a way to open them somehow to examine their contents.
Therein lies the first problem.
Since surveillance systems are known to use their own proprietary file systems and formats that often fall outside the scope of the ordinary (standard players rarely handle anything beyond MPG, MP4, or AVI files), your department could find itself spending hours on end trying to find the right playback software to access them, and also running into a wide array of video file errors.
And even then, you may jeopardize the entire operation by not following best digital forensics practices and failing to maintain the chain of custody, which results in your digital evidence not being admissible.
The solution to inaccessible file format types
Therefore, the only solution that is viable in practice is employing a professional video forensics tool like VIP 2.0 by SalvationDATA.
Since it supports all the formats used by almost any DVR and NVR device in existence, you will be able to crack the case in record time by accessing a wide array of file formats without issues, all while preserving the integrity of the files and benefiting from built-in reporting and 24/7 access to customer support.
Also, VIP 2.0 comes with integrated recognition features such as motion detection, thus allowing you to automatically find the exact section of the video footage that contains valuable digital evidence for your case.